@bagder bagder commented Jan 2, 2026

we reject the idea of CRLF injection by the user itself as a general security problem

we reject the idea of *CRLF injection* as a security problem
@bagder bagder marked this pull request as ready for review January 2, 2026 09:55
Copilot AI left a comment

Pull request overview

This PR adds a new section to the vulnerability disclosure policy documenting curl's stance on CRLF injection, clarifying that the ability to send carriage-return (CR) and line-feed (LF) characters is an intentional feature rather than a security vulnerability.

  • Adds a "CRLF in data" section explaining curl's policy on handling CRLF sequences
  • Explicitly states that CRLF injection is not considered a security problem
  • Clarifies that users have control over what data they send through curl

Co-authored-by: Viktor Szakats <vszakats@users.noreply.github.com>
@bagder bagder closed this in ae1597c Jan 2, 2026
@bagder bagder deleted the bagder/crlf branch January 2, 2026 11:19